Your USB flash drive is a pretty handy little tool, isn’t it? It’s also a potential instrument of evil that could impersonate other hardware and steal keystrokes or hijack your Internet connection.

That’s according to a pair of researchers from Germany’s SR Labs. They’ve developed proof-of-concept code that’s capable of tricking a computer into thinking one type of USB device is something else. Worse yet, they say it can be done without tripping any alerts from an operating system or today’s antimalware software.

Obviously, SR Labs’ announcement has stirred up discussion all over the web. Reactions cover the expected range — from “burn all your USB devices now!” to “nothing to worry about.” So who’s right? We won’t really know until SR Labs presents their findings in detail, but here’s how things look right now.

Most industry insiders who have engineered a USB device are saying two things. First, that this flaw isn’t anything new. It’s been known about for years, and there have been previous talks at security conferences on the subject. Second, that it’s generally not a simple task to rewrite the firmware on a USB device — specialized tools are required and they may only work with one specific firmware controller. That’s why these folks never pressed the panic button.

It’s a fundamental flaw, to be sure, but it’s one that isn’t necessarily that easy to exploit. It’s also not that practical, not in an age when people are more than happy to install malware if you pay them a few cents. This USB flaw may never actually pose a serious security risk to most users at home, but it could be used for targeted attacks. That’s generally how USB has been used in the past — infections like Stuxnet, for example.

Assuming someone (probably a nation state) decided to plan an attack based on this flaw, the doomsday scenario would probably go like this: a state-sponsored actor has been injecting insecure firmware into a major brand’s peripherals for years. Millions of people around the globe have bought keyboards, mice, and webcams from this company, and they’re all blissfully unaware that anything is amiss.

When the time comes, a targeted attack is launched on the web. That attack then sniffs out the vulnerable devices, sends the commands to rewrite the firmware, and it’s game over. Any targets that were hit would now be running a rogue USB device that could act as much more than an ordinary keyboard, mouse, or camera.

Once that happens, the malware’s creator is in control. Whatever their plans might be — to capture keystrokes, sniff account information, upload documents — we’d be unable to stop it with today’s defenses. It’s a scary prospect, but really… it seems as though if someone wanted to exploit this they would have already done it long ago.

Still, it’s a good time to remind people that you shouldn’t just plug any old USB device into your computer. That’s never really been a good idea, whether it’s because Windows ME might choke on it or because your OS hadn’t been updated to prevent USB autoruns from injecting malware onto your system.